GitLab CI can't pull Docker images - "no basic auth credentials"?

Hi all,

Our Runner has stopped working and after a day of bashing my head against this I’m no closer to understanding what is going on.

Our pipelines use images from an AWS ECS registry, and they fail immediately to pull the specified image:

Running with gitlab-ci-multi-runner 1.11.5 (cbfcb5c)
  on alpine (cde79fa3)
Using Docker executor with image ***.dkr.ecr.******:latest ...
Pulling docker image ***.dkr.ecr.******:latest ...
ERROR: Preparation failed: API error (500): Get https://***.dkr.ecr.******/manifests/latest: no basic auth credentials

Will be retried in 3s ...

With the AWS ECS registry comes the need to be logged in, and so I’ve configured the machine with the AWS CLI and run the $(aws ecr get-login --no-include-email) command. docker pull <image url> works just fine SSHed into the machine.

What is GitLab CI Runner actually saying with the “no basic auth credentials” error? I assume it doesn’t have credentials, but, where does it look? docker pull works fine via SSH, so why wouldn’t it work here?

# cat /etc/gitlab-runner/config.toml
concurrent = 1
check_interval = 0

  name = "alpine"
  url = "http://***/"
  token = "cde***"
  executor = "docker"
    tls_verify = false
    image = "alpine:latest"
    privileged = true
    disable_cache = true
    volumes = ["/cache"]

# cat ~/.docker/config.json 
        "HttpHeaders": {
                "User-Agent": "Docker-Client/17.12.1-ce (linux)"
        "proxies": {
                "default": {
                        "httpProxy": "http://***:3128",
                        "httpsProxy": "http://***:3128"
        "credsStore": "ecr-login"

And the ecr-login credentials store then contains the token granting access to ECR. I set this up following the documentation from AWS ECR.

1 Like

Did you ever got this configured and working with the ecr-login helper?

I did not. I’ve since switched jobs so it’ll be forever unknown what happened :slight_smile: